US7895654B1 - Efficient file scanning using secure listing of file modification times - Google Patents

Info

Publication number: US7895654B1
Application number: US11/167,521
Authority: US (United States)
Prior art keywords: files, file, record, modifications, scanning
Legal status: Active, expires (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Inventor: John Millard
Current Assignee: Gen Digital Inc (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Symantec Corp

Events

  • Application US11/167,521 filed by Symantec Corp; priority claimed to US11/167,521
  • Assigned to SYMANTEC CORPORATION (assignment of assignors' interest; see document for details). Assignors: MILLARD, JOHN
  • Application granted; publication of US7895654B1
  • Assigned to JPMORGAN, N.A. (security agreement). Assignors: BLUE COAT LLC, LIFELOCK, INC., SYMANTEC CORPORATION, SYMANTEC OPERATING CORPORATION
  • Assigned to NortonLifeLock Inc. (change of name; see document for details). Assignors: SYMANTEC CORPORATION
  • Assigned to BANK OF AMERICA, N.A., AS COLLATERAL AGENT (security agreement). Assignors: NortonLifeLock Inc.
  • Assigned to BANK OF AMERICA, N.A., AS COLLATERAL AGENT (notice of succession of agency, reel 050926 / frame 0560). Assignors: JPMORGAN CHASE BANK, N.A.

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/564Static detection by virus signature recognition
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101Auditing as a secondary aspect
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2151Time stamp



Abstract

A scanning optimization manager efficiently scans files for malicious code. The scanning optimization manager maintains a non-tamperable record of modifications to files on a volume. The scanning optimization manager receives at least one malicious code signature. Responsive to the receipt of the at least one malicious code signature, the scanning optimization manager scans at least some files on the volume for the at least one malicious code signature at a priority corresponding to an associated modification status.

Description

TECHNICAL FIELD
This invention pertains generally to computer security, and more specifically to using a secure listing of file modification times to efficiently scan files for malicious code.
BACKGROUND
The time required to scan files on a volume for malicious code is a significant performance issue for anti-malicious code software. As volumes grow larger, scan times grow with them. Decreasing the amount of time required for such scanning would be highly desirable.
The only time that a volume actually needs to be scanned is upon the receipt of new or updated malicious code signatures. Thus scheduled scans (e.g., weekly scans) are not optimal, as they can be executed unnecessarily, when no new malicious code signatures have arrived, and/or fail to be executed when new signatures are received. This shortcoming can be addressed by scanning the volume whenever a new malicious code signature is received. However, scanning the entire volume every time signatures are received is slow. The only files which are likely to be malicious are recently modified or arrived files, since infection of a file by malicious code necessitates modifying the file, or if a worm arrives, then it must be created on the volume. Therefore, only the more recently modified files need to be scanned when new malicious code signatures arrive.
Using the file system modification date to determine which files to scan or the order in which to scan files is not reliable, because this data is not secure. Malicious code can and often does set this date back, so as to attempt to hide the infection or arrival of the file. Thus, scanning only files that appear to be recently modified according to the file system could result in overlooking infected files. The volume change log (where one exists) is also insecure, and thus cannot be relied on for the same reasons.
What is needed are computer implemented methods, computer readable media and computer systems for scanning files on a volume at a priority corresponding to the actual most recent modification time, upon receipt of new malicious code signatures.
DISCLOSURE OF INVENTION
Computer-implemented methods, computer systems and computer-readable media efficiently scan files for malicious code. More specifically, a scanning optimization manager maintains a non-tamperable record of modifications to files on a volume. The scanning optimization manager receives at least one malicious code signature. Responsive to the receipt of the at least one malicious code signature, the scanning optimization manager scans at least some files on the volume for the at least one malicious code signature at a priority corresponding to an associated modification status.
The features and advantages described in this disclosure and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram illustrating a high level overview of a system for efficiently scanning files for malicious code according to some embodiments of the present invention.
FIG. 2 is a flowchart, illustrating steps for efficiently scanning files for malicious code, according to some embodiments of the present invention.
The Figures depict embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.
DETAILED DESCRIPTION
FIG. 1 illustrates a high level overview of a system 100 for practicing some embodiments of the present invention. A scanning optimization manager 101 optimizes the scanning of files 103 on a volume 105 for malicious code by referring to a secure listing of file modification times 107. It is to be understood that although the scanning optimization manager 101 is illustrated as a single entity, as the term is used herein a scanning optimization manager 101 refers to a collection of functionalities which can be implemented as software, hardware, firmware or any combination of these. Where a scanning optimization manager 101 is implemented as software, it can be implemented as a standalone program, but can also be implemented in other ways, for example as part of a larger program, as a plurality of separate programs, as one or more device drivers or as one or more statically or dynamically linked libraries.
It is to be further understood that a scanning optimization manager 101 can be instantiated as part of an anti-malicious code software package 108 (as illustrated in FIG. 1) or as a component separate from the anti-malicious code software 108 that works in conjunction therewith. A scanning optimization manager 101 can be instantiated on and/or as part of a server, client, firewall, intrusion detection system, proxy, gateway, switch and/or any combination of these and/or other computing devices and/or platforms.
As illustrated in FIG. 1, the scanning optimization manager 101 maintains a non-tamperable record 107 of modifications to files 103 on a volume 105. In one embodiment, the scanning optimization manager 101 detects modifications being made to files 103 on the volume 105, for example file writes made by processes 109. Methodologies for detecting modifications being made to files 103 are known to those of ordinary skill in the relevant art, and the implementation mechanics of their use within the context of the present invention will be readily apparent to those so skilled in light of this specification. For example, system calls for modifying files 103 can be intercepted, or a file system filter driver can be used, or regular notifications from the operating system on file change can be used.
In many (but not all) embodiments of the present invention, modifications of temporary files 103 are not recorded. Additionally, many files 103 that are modified are deleted very shortly thereafter. In some embodiments, modified files 103 are watched for a short period of time (e.g., 30 seconds, 60 seconds, etc.) to determine whether they are subsequently deleted. Only if a file 103 is not deleted shortly after being modified is the modification logged. This cuts down on the number of files 103 that are logged for subsequent priority scanning. The exact interval can be adjusted by the end user for optimal performance on their machine.
As noted above, the scanning optimization manager 101 stores a secure record 107 of times at which modifications to files 103 are made. This record 107 is typically kept locked for exclusive access by the scanning optimization manager 101, and protected from access by other paths. How far back to maintain file 103 modification data is a variable design choice. Typically, files 103 that have not been modified within about two weeks are unlikely to contain malicious code on a properly managed computer. Thus, in one embodiment, the scanning optimization manager 101 maintains the modification record 107 such that it contains a listing of modifications executed within the past two weeks. Of course, the record 107 can go back further (or less far) as desired, as space and efficiency permit.
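The three preceding paragraphs describe the record 107 in terms of behaviour only: writes are captured at an interception point, temporary files are skipped, a write is logged only if the file survives a short watch window, deletions of recorded files are themselves recorded (claim 3), and entries older than the retention horizon are dropped. The following is an added example (not code from the patent or from Symantec) showing one way those rules fit together. Its design assumptions are mine: timestamps are taken from the manager's own clock at the interception point rather than from the file system, `now` is passed in explicitly so the logic is deterministic, and a keyed HMAC chain stands in for the patent's "locked, exclusive-access" store so that an altered, dropped or reordered entry is detectable; the key is assumed to live outside the protected volume. `GRACE_SECONDS` and `RETENTION_SECONDS` are the patent's example values (60 seconds, two weeks).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed parameters matching the patent's examples: a 60 s watch window
# after a write and a two-week retention horizon.
GRACE_SECONDS = 60
RETENTION_SECONDS = 14 * 86400
_ZERO = b"\x00" * 32


@dataclass
class ModificationRecord:
    """Secure listing of file modification times (assumed design, not the patent's).

    Timestamps come from the interception point (the manager's own clock),
    never from the file system's mtime, so a file whose own timestamp has been
    rewound still appears as recently modified here. Each committed entry is
    chained under a keyed HMAC; the key is assumed to live off the volume.
    """
    key: bytes
    entries: list = field(default_factory=list)  # (path, ts, event, mac) in commit order
    pending: dict = field(default_factory=dict)  # path -> ts of a write still in its watch window
    _last_mac: bytes = _ZERO

    def _mac(self, prev, path, ts, event):
        msg = json.dumps([path, ts, event]).encode()
        return hmac.new(self.key, prev + msg, hashlib.sha256).digest()

    def _commit(self, path, ts, event):
        mac = self._mac(self._last_mac, path, ts, event)
        self.entries.append((path, ts, event, mac))
        self._last_mac = mac

    def on_write(self, path, now, temporary=False):
        """Called from the write interception hook; temporary files are not recorded."""
        if temporary:
            return
        self.pending[path] = now  # logged only if the file survives the watch window

    def on_delete(self, path, now):
        """Modified-then-deleted inside the window: the write is never logged.
        Deletion of a file already in the record is itself recorded (claim 3)."""
        self.pending.pop(path, None)
        if any(p == path and ev == "modify" for p, _, ev, _ in self.entries):
            self._commit(path, now, "delete")

    def tick(self, now):
        """Promote writes whose watch window has elapsed; drop entries past retention."""
        for path, ts in list(self.pending.items()):
            if now - ts >= GRACE_SECONDS:
                del self.pending[path]
                self._commit(path, ts, "modify")
        cutoff = now - RETENTION_SECONDS
        kept = [e for e in self.entries if e[1] >= cutoff]
        if len(kept) != len(self.entries):
            # Re-anchor the chain on the surviving entries (the manager holds the key).
            self.entries, self._last_mac = [], _ZERO
            for path, ts, event, _ in kept:
                self._commit(path, ts, event)

    def verify(self):
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        mac = _ZERO
        for path, ts, event, stored in self.entries:
            mac = self._mac(mac, path, ts, event)
            if not hmac.compare_digest(mac, stored):
                return False
        return hmac.compare_digest(mac, self._last_mac)

    def last_modified(self):
        """path -> last recorded modification time, for files not since deleted."""
        latest = {}
        for path, ts, event, _ in self.entries:
            if event == "modify":
                latest[path] = ts
            else:
                latest.pop(path, None)
        return latest


if __name__ == "__main__":
    # Constructed event stream: one real write, one temporary file, and one
    # write whose file is deleted inside its watch window.
    t0 = 1_000_000
    rec = ModificationRecord(key=b"constructed-demo-key")
    rec.on_write("a.exe", t0)
    rec.on_write("setup.tmp", t0, temporary=True)
    rec.on_write("b.dll", t0 + 10)
    rec.on_delete("b.dll", t0 + 20)
    rec.tick(t0 + 70)
    print(rec.last_modified(), rec.verify())
```

The watch window is implemented by holding writes in `pending` and committing them from `tick()` only once the window has elapsed, so the record carries the original write time, not the time the entry was promoted. Pruning re-chains the surviving entries, which is the cost of keeping the record short while still being able to verify it end to end.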
Over time, anti-malicious code software 108 (e.g., anti-virus software) receives new or updated malicious code signatures 111 (e.g., from a server computer as part of an anti-malicious code software 108 signature 111 update process), as updated signatures 111 are identified and made available. Responsive to the receipt of a malicious code signature 111, the scanning optimization manager 101 scans at least some files 103 on the volume 105 for the malicious code signature 111 at a priority corresponding to the associated modification status (e.g., when the file 103 was last modified). The usual priority would be to scan the most recently modified files first, as these are files most at risk for being malicious.
The priority can be established by a combination of factors (e.g., the modification date and the position on the volume). In one embodiment the files 103 are grouped by access date, and then scanned within each group in the order in which they occur on the volume.
As illustrated in FIG. 2, in various embodiments of the present invention, many variations can be employed in order to scan files 103 at a priority corresponding to an associated modification status. For example, in some embodiments, the scanning optimization manager 101 scans 201 files 103 last modified within a defined time period at a high priority (e.g., as soon as possible) and scans 203 files 103 last modified prior to the defined time period (or not modified at all) at a low priority (e.g., in the background, or only when the CPU is otherwise idle). It is to be understood that the value of the defined time period is a variable design parameter (for example, two weeks, ten days, three weeks).
In some embodiments, the scanning optimization manager 101 scans 201 files 103 last modified within the defined time period at a high priority, scans 205 files 103 last modified prior to the defined time period at a low priority, and does not scan 207 unmodified files 103 at all.
In yet other embodiments, the scanning optimization manager 101 scans 201 files 103 last modified within the defined time period, but does not scan 209 files last modified prior to the defined time period or unmodified files.
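The last four paragraphs describe, in prose, how the record is turned into a scan order once a signature 111 arrives: partition files by whether their recorded modification time falls inside the defined time period, group by date and walk each group in on-disk order, and then apply one of the three FIG. 2 variants (steps 201/203, 201/205/207, 201/209). The following is an added example, not code from the patent or from Symantec, that implements all three variants behind a single `Policy` switch and then runs a simple signature match over the resulting plan. Everything below is constructed for illustration: the record is a plain `path -> timestamp` mapping as the secure record would expose it, on-disk position is modelled as an integer per file, and the signatures and file contents are placeholder byte strings.

```python
from enum import Enum

# Constructed: the patent's example defined time period of two weeks.
DEFINED_PERIOD = 14 * 86400


class Policy(Enum):
    """The three embodiments of FIG. 2 (numbers are the patent's step labels)."""
    RECENT_HIGH_REST_LOW = 1                 # 201 high; 203 old-or-unmodified low
    RECENT_HIGH_OLD_LOW_SKIP_UNMODIFIED = 2  # 201 high; 205 old low; 207 unmodified skipped
    RECENT_ONLY = 3                          # 201 high; 209 everything else skipped


def build_scan_plan(volume_files, record, now, policy, period=DEFINED_PERIOD):
    """Return (high, low): the scan order for each priority class.

    volume_files: path -> position on the volume (assumed shape, e.g. first cluster)
    record:       path -> last modification time from the secure record, NOT the
                  file system mtime, which the Background notes cannot be trusted
    """
    recent, old, unmodified = [], [], []
    for path in volume_files:
        ts = record.get(path)
        if ts is None:
            unmodified.append(path)
        elif now - ts <= period:
            recent.append(path)
        else:
            old.append(path)

    def by_day_then_position(group):
        # Group by calendar day of modification, newest group first, and walk
        # each group in on-disk order so the head keeps moving forward.
        return sorted(group, key=lambda p: (-(record[p] // 86400), volume_files[p]))

    high = by_day_then_position(recent)
    if policy is Policy.RECENT_HIGH_REST_LOW:
        low = by_day_then_position(old) + sorted(unmodified, key=volume_files.get)
    elif policy is Policy.RECENT_HIGH_OLD_LOW_SKIP_UNMODIFIED:
        low = by_day_then_position(old)
    else:
        low = []
    return high, low


def scan_for_signatures(plan, contents, signatures):
    """Run the plan, high-priority files first. Returns [(path, signature)] hits in scan order."""
    high, low = plan
    hits = []
    for path in high + low:
        data = contents.get(path, b"")
        for sig in signatures:
            if sig in data:
                hits.append((path, sig))
    return hits


# Constructed sample volume. NOW is a day boundary so the grouping is easy to follow.
NOW = 20_000 * 86400
VOLUME = {"a.exe": 50, "b.dll": 10, "c.sys": 5, "d.txt": 20, "e.bin": 1, "f.old": 40}
RECORD = {
    "a.exe": NOW - 3600,        # today
    "b.dll": NOW - 3600,        # today, earlier on disk than a.exe
    "c.sys": NOW - 3 * 86400,   # three days ago
    "d.txt": NOW - 30 * 86400,  # outside the two-week window
    "f.old": NOW - 20 * 86400,  # outside the window
    "gone.dat": NOW - 60,       # recorded but no longer present on the volume
}
CONTENTS = {"a.exe": b"MZ...CONSTRUCTED-SIG-1...", "e.bin": b"CONSTRUCTED-SIG-2"}
SIGNATURES = [b"CONSTRUCTED-SIG-1", b"CONSTRUCTED-SIG-2"]

if __name__ == "__main__":
    for policy in Policy:
        plan = build_scan_plan(VOLUME, RECORD, NOW, policy)
        print(policy.name, plan, scan_for_signatures(plan, CONTENTS, SIGNATURES))
```

Note how the choice of variant changes what is found: the placeholder signature in `e.bin`, a file with no recorded modification, is reached only under `RECENT_HIGH_REST_LOW`. The other two variants trade that coverage for less scanning, which is exactly the trade-off the text leaves to the embodiment.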
The methodologies and other aspects of the invention can be implemented as software, hardware, firmware or any combination of the three. Of course, wherever a component of the present invention is implemented as software, the component can be implemented as a script, as a standalone program, as part of a larger program, as a plurality of separate scripts and/or programs, as a statically or dynamically linked library, as a kernel loadable module, as a device driver, as executable program code stored on a computer-readable medium such as a hard drive, and/or in every and any other way known to those of skill in the art of computer programming. Additionally, the present invention is in no way limited to implementation in any specific programming language, or for any specific operating system or environment. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.

Claims (21)

1. A computer implemented method for efficiently scanning files for malicious code, the method comprising the steps of:
maintaining a non-tamperable record of modifications to files on a volume, the record of modifications to files indicating modification statuses of the files, a modification status indicating when an associated file was last modified, wherein maintaining the non-tamperable record further comprises:
responsive to a first file being modified, monitoring the first file for a short period of time after the modification to determine whether the first file is deleted during the short period of time, and
performing a step from a group of steps comprising:
responsive to the first file not being deleted during the short period of time, recording the modification to the first file, and
responsive to the first file being deleted during the short period of time, not recording the modification to the first file;
receiving at least one malicious code signature;
establishing a defined time period measured as an amount of time prior to a current time at which scanning is to be performed;
establishing a high priority for files last modified within the defined time period;
establishing a low priority for files last modified prior to the defined time period; and
scanning files on the volume for the at least one malicious code signature responsive to the established priorities, the scanning comprising scanning files having established high priorities prior to scanning files having established low priorities.
2. The method of claim 1 wherein maintaining a non-tamperable record of modifications to files on a volume further comprises:
detecting modifications being made to files on the volume; and
storing a secure record of times at which modifications to files are made.
3. The method of claim 1 wherein maintaining a non-tamperable record of modifications to files on a volume further comprises:
detecting deletion of at least one file in the record of modifications on the volume; and
storing a secure record of the deletion.
4. The method of claim 1 wherein receiving at least one malicious code signature further comprises:
receiving at least one new malicious code signature.
5. The method of claim 1 wherein at least one of the steps is performed by at least one software component executing on at least one computing device from a group of computing devices consisting of:
a server;
a client;
a firewall;
an intrusion detection system;
a proxy;
a gateway; and
a switch.
6. The method of claim 1 wherein maintaining a non-tamperable record of modifications to files on a volume further comprises:
maintaining a non-tamperable record of modifications to at least some files.
7. A non-transitory computer readable storage medium containing executable program code for efficiently scanning files for malicious code, the computer program code comprising:
program code for maintaining a non-tamperable record of modifications to files on a volume, the record of modifications to files indicating modification statuses of the files, a modification status indicating when an associated file was last modified, wherein the program code for maintaining the non-tamperable record further comprises:
program code for, responsive to a first file being modified, monitoring the first file for a short period of time after the modification to determine whether the first file is deleted during the short period of time, and
program code for performing a step from a group of steps comprising:
responsive to the first file not being deleted during the short period of time, recording the modification to the first file, and
responsive to the first file being deleted during the short period of time, not recording the modification to the first file;
program code for receiving at least one malicious code signature;
program code for establishing a defined time period measured as an amount of time prior to a current time at which scanning is to be performed;
program code for establishing a high priority for files last modified within the defined time period;
program code for establishing a low priority for files last modified prior to the defined time period; and
program code for scanning files on the volume for the at least one malicious code signature responsive to the established priorities, the scanning comprising scanning files having established high priorities prior to scanning files having established low priorities.
8. The computer readable storage medium of claim 7 wherein the program code for maintaining a non-tamperable record of modifications to files on a volume further comprises:
program code for detecting modifications being made to files on the volume; and
program code for storing a secure record of times at which modifications to files are made.
9. The computer readable storage medium of claim 7 wherein the program code for maintaining a non-tamperable record of modifications to files on a volume further comprises:
program code for detecting deletion of at least one file in the record of modifications on the volume; and
program code for storing a secure record of the deletion.
10. The computer readable storage medium of claim 7 wherein the program code for receiving at least one malicious code signature further comprises:
program code for receiving at least one new malicious code signature.
11. The computer readable storage medium of claim 7 wherein at least some of the program code comprises program code for executing as part of a software component on at least one computing device from a group of computing devices consisting of:
a server;
a client;
a firewall;
an intrusion detection system;
a proxy;
a gateway; and
a switch.
12. The computer readable storage medium of claim 7 wherein the program code for maintaining a non-tamperable record of modifications to files on a volume further comprises:
program code for maintaining a non-tamperable record of modifications to at least some files.
13. A computer system for efficiently scanning files for malicious code, the computer system comprising:
a volume for storing files;
a processor for executing software portions; and
a computer readable storage medium containing executable software portions, the software portions comprising:
a software portion configured to maintain a non-tamperable record of modifications to files on the volume, the record of modifications to files indicating modification statuses of files, a modification status indicating when an associated file was last modified, wherein the software portion configured to maintain the non-tamperable record further comprises:
a software portion configured to, responsive to a first file being modified, monitor the first file for a short period of time after the modification to determine whether the first file is deleted during the short period of time, and
a software portion configured to perform a step from a group of steps comprising:
responsive to the first file not being deleted during the short period of time, recording the modification to the first file, and
responsive to the first file being deleted during the short period of time, not recording the modification to the first file;
a software portion configured to receive at least one malicious code signature;
a software portion configured to establish a defined time period measured as an amount of time prior to a current time at which scanning is to be performed;
a software portion configured to establish a high priority for files last modified within the defined time period;
a software portion configured to establish a low priority for files last modified prior to the defined time period; and
a software portion configured to scan files on the volume for the at least one malicious code signature responsive to the established priorities, the scanning comprising scanning files having established high priorities prior to scanning files having established low priorities.
14. The computer system of claim 13 wherein the software portion configured to maintain a non-tamperable record of modifications to files on the volume further comprises:
a software portion configured to detect modifications being made to files on the volume; and
a software portion configured to store a secure record of times at which modifications to files are made.
15. The computer system of claim 13 wherein the software portion configured to maintain a non-tamperable record of modifications to files on the volume further comprises:
a software portion configured to detect deletion of at least one file in the record of modifications on the volume; and
a software portion configured to store a secure record of the deletion.
16. The computer system of claim 13 wherein the software portion configured to receive at least one malicious code signature further comprises:
a software portion configured to receive at least one new malicious code signature.
17. The computer system of claim 13 wherein at least one of the software portions comprises a software portion configured to execute as part of a software component on at least one computing device from a group of computing devices consisting of:
a server;
a client;
a firewall;
an intrusion detection system;
a proxy;
a gateway; and
a switch.
18. The computer system of claim 13 wherein the software portion configured to maintain a non-tamperable record of modifications to files on the volume further comprises:
a software portion configured to maintain a non-tamperable record of modifications to at least some files.
19. The method of claim 1, wherein establishing priorities for scanning the files further comprises grouping the files responsive to the files' associated modification statuses and wherein the scanning comprises scanning the files within each group in the order in which the files occur on the volume.
20. The computer readable storage medium of claim 7, wherein the program code for establishing priorities for scanning the files further comprises program code for grouping the files responsive to the files' associated modification statuses and wherein the program code for scanning comprises program code for scanning the files within each group in the order in which the files occur on the volume.
21. The computer system of claim 13 wherein the software portion configured to scan the files further comprises a software portion configured to group the files responsive to the files' associated modification statuses and wherein the software portion configured to scan comprises a software portion configured to scan the files within each group in the order in which the files occur on the volume.
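Claims 13 and 21 above describe one procedure: a protected record of last-modification times in which a write is only recorded if the file survives a short monitoring window, a deletion of an already-recorded file is itself recorded, and the scanner then takes files modified within a defined period before scan time ahead of everything else, walking each group in on-volume order. The block below is an added Python example written for this page; it is not code from the patent or from Symantec. Its assumptions are: an HMAC over each entry as the way the record is made non-tamperable (the claims do not say how), a two-second monitoring window, the constructed paths and timestamps, and the choice to scan files that have no trustworthy record entry first rather than skip them.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed demo key. A real implementation would keep the record and its key
# where user-mode code cannot reach them (e.g. a kernel-mode driver); an HMAC over
# each entry is this example's assumption for how "non-tamperable" is realised.
RECORD_KEY = b"demo-record-key-not-for-production"
SETTLE_WINDOW = 2.0  # seconds a modification is monitored before it is recorded


@dataclass
class ModificationRecord:
    key: bytes = RECORD_KEY
    settle_window: float = SETTLE_WINDOW
    # path -> (event time, deleted?, authentication tag over path and the other two fields)
    entries: Dict[str, Tuple[float, bool, str]] = field(default_factory=dict)
    # path -> modification time, waiting for the monitoring window to elapse
    pending: Dict[str, float] = field(default_factory=dict)

    def _tag(self, path: str, when: float, deleted: bool) -> str:
        msg = f"{path}\x00{when!r}\x00{int(deleted)}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def on_modify(self, path: str, when: float) -> None:
        """A file was written: start (or restart) its short monitoring window."""
        self.pending[path] = when

    def on_delete(self, path: str, when: float) -> None:
        """A file was deleted: drop an unsettled modification, else record the deletion."""
        if self.pending.pop(path, None) is not None:
            return  # modified then deleted inside the window: nothing is recorded
        if path in self.entries:
            self.entries[path] = (when, True, self._tag(path, when, True))

    def settle(self, now: float) -> None:
        """Commit modifications whose window elapsed without the file being deleted."""
        for path, when in list(self.pending.items()):
            if now - when >= self.settle_window:
                self.entries[path] = (when, False, self._tag(path, when, False))
                del self.pending[path]

    def tampered(self) -> List[str]:
        """Paths whose stored entry no longer verifies against its tag."""
        return [path for path, (when, deleted, tag) in self.entries.items()
                if not hmac.compare_digest(tag, self._tag(path, when, deleted))]


def plan_scan(record: ModificationRecord, volume_order: List[str],
              now: float, period: float) -> List[str]:
    """Order files for scanning: those modified within `period` seconds of `now`
    first, then the rest, each group kept in the order the files occur on the volume."""
    if record.tampered():
        raise RuntimeError("modification record fails authentication; do a full scan")
    cutoff = now - period
    high: List[str] = []
    low: List[str] = []
    for path in volume_order:
        entry = record.entries.get(path)
        if entry is None:
            # No trustworthy status (never recorded, or still inside its window):
            # this example's choice is to scan such files first rather than skip them.
            high.append(path)
            continue
        when, deleted, _ = entry
        if deleted:
            continue  # nothing left on the volume to scan
        (high if when >= cutoff else low).append(path)
    return high + low


def demo() -> Tuple[ModificationRecord, List[str]]:
    """Constructed event sequence and volume layout; times are seconds since an epoch."""
    rec = ModificationRecord()
    rec.on_modify("/data/old_report.doc", when=100.0)
    rec.on_modify("/tmp/installer.tmp", when=100.5)
    rec.on_delete("/tmp/installer.tmp", when=101.0)  # gone inside the window: not recorded
    rec.on_modify("/bin/helper.exe", when=3500.0)
    rec.settle(now=3600.0)
    volume = ["/bin/helper.exe", "/data/old_report.doc", "/etc/config.ini"]
    return rec, plan_scan(rec, volume, now=3600.0, period=1800.0)


if __name__ == "__main__":
    record, order = demo()
    print("scan order:", order)
    print("tampered entries:", record.tampered())
```

The tag binds the path, the timestamp and the deleted flag together, so an attacker who can edit the stored list but not reach the key cannot backdate a freshly dropped executable into the low-priority group or move an old entry onto a new path; `plan_scan` refuses to trust a record that fails verification and the caller falls back to a full scan. The window-then-commit rule is what keeps short-lived temporary files out of the record, which is the point of the monitoring step in claim 13.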

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/167,521 US7895654B1 (en) 2005-06-27 2005-06-27 Efficient file scanning using secure listing of file modification times

Publications (1)

Publication Number Publication Date
US7895654B1 true US7895654B1 (en) 2011-02-22

Family

ID=43597231

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/167,521 Active 2029-06-06 US7895654B1 (en) 2005-06-27 2005-06-27 Efficient file scanning using secure listing of file modification times

Country Status (1)

Country Link
US (1) US7895654B1 (en)

Patent Citations (90)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5826249A (en) 1990-08-03 1998-10-20 E.I. Du Pont De Nemours And Company Historical database training method for neural networks
US5452442A (en) 1993-01-19 1995-09-19 International Business Machines Corporation Methods and apparatus for evaluating and extracting signatures of computer viruses and other undesirable software entities
US5398196A (en) 1993-07-29 1995-03-14 Chambers; David A. Method and apparatus for detection of computer viruses
EP0636977A2 (en) 1993-07-29 1995-02-01 David Alan Chambers Method and apparatus for detection of computer viruses
US5832527A (en) 1993-09-08 1998-11-03 Fujitsu Limited File management system incorporating soft link data to access stored objects
US5495607A (en) 1993-11-15 1996-02-27 Conner Peripherals, Inc. Network management system having virtual catalog overview of files distributively stored across network domain
US5694569A (en) 1993-11-19 1997-12-02 Fischer; Addison M. Method for protecting a volatile file using a single hash
US5572590A (en) 1994-04-12 1996-11-05 International Business Machines Corporation Discrimination of malicious changes to digital information using multiple signatures
US6944555B2 (en) 1994-12-30 2005-09-13 Power Measurement Ltd. Communications architecture for intelligent electronic devices
US5675710A (en) 1995-06-07 1997-10-07 Lucent Technologies, Inc. Method and apparatus for training a text classifier
US5854916A (en) 1995-09-28 1998-12-29 Symantec Corporation State-based cache for antivirus software
US6006242A (en) 1996-04-05 1999-12-21 Bankers Systems, Inc. Apparatus and method for dynamically creating a document
US5884033A (en) 1996-05-15 1999-03-16 Spyglass, Inc. Internet filtering system for filtering data transferred over the internet utilizing immediate and deferred filtering actions
US5944821A (en) 1996-07-11 1999-08-31 Compaq Computer Corporation Secure software registration and integrity assessment in a computer system
US6401122B1 (en) 1996-07-19 2002-06-04 Fujitsu Limited Communication management apparatus
US5832208A (en) 1996-09-05 1998-11-03 Cheyenne Software International Sales Corp. Anti-virus agent for use with databases and mail servers
US6072942A (en) 1996-09-18 2000-06-06 Secure Computing Corporation System and method of electronic mail filtering using interconnected nodes
US6092194A (en) 1996-11-08 2000-07-18 Finjan Software, Ltd. System and method for protecting a computer and a network from hostile downloadables
US6125459A (en) 1997-01-24 2000-09-26 International Business Machines Company Information storing method, information storing unit, and disk drive
US5974549A (en) 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US6298351B1 (en) 1997-04-11 2001-10-02 International Business Machines Corporation Modifying an unreliable training set for supervised classification
WO1999015966A1 (en) 1997-09-23 1999-04-01 Symantec Corporation Dynamic heuristic method for detecting computer viruses
US6021510A (en) * 1997-11-24 2000-02-01 Symantec Corporation Antivirus accelerator
US6094731A (en) 1997-11-24 2000-07-25 Symantec Corporation Antivirus accelerator for computer networks
US6751789B1 (en) 1997-12-12 2004-06-15 International Business Machines Corporation Method and system for periodic trace sampling for real-time generation of segments of call stack trees augmented with call stack position determination
US6023723A (en) 1997-12-22 2000-02-08 Accepted Marketing, Inc. Method and system for filtering unwanted junk e-mail utilizing a plurality of filtering mechanisms
US6421709B1 (en) 1997-12-22 2002-07-16 Accepted Marketing, Inc. E-mail filter and method thereof
US6052709A (en) 1997-12-23 2000-04-18 Bright Light Technologies, Inc. Apparatus and method for controlling delivery of unsolicited electronic mail
US20020035693A1 (en) 1998-03-02 2002-03-21 Eyres Kevin W. Modified license key entry for pre-installation of software
US6347310B1 (en) 1998-05-11 2002-02-12 Torrent Systems, Inc. Computer system and process for training of analytical models using large data sets
US6253169B1 (en) 1998-05-28 2001-06-26 International Business Machines Corporation Method for improvement accuracy of decision tree based text categorization
US6161130A (en) 1998-06-23 2000-12-12 Microsoft Corporation Technique which utilizes a probabilistic classifier to detect "junk" e-mail by automatically updating a training and re-training the classifier based on the updated training set
WO2000028420A1 (en) 1998-11-09 2000-05-18 Symantec Corporation Antivirus accelerator for computer networks
US6546416B1 (en) 1998-12-09 2003-04-08 Infoseek Corporation Method and system for selectively blocking delivery of bulk electronic mail
US6397200B1 (en) 1999-03-18 2002-05-28 The United States Of America As Represented By The Secretary Of The Navy Data reduction system for improving classifier performance
US6505167B1 (en) 1999-04-20 2003-01-07 Microsoft Corp. Systems and methods for directing automated services for messaging and scheduling
US6370526B1 (en) 1999-05-18 2002-04-09 International Business Machines Corporation Self-adaptive method and system for providing a user-preferred ranking order of object sets
US20020038308A1 (en) 1999-05-27 2002-03-28 Michael Cappi System and method for creating a virtual data warehouse
US6502082B1 (en) 1999-06-01 2002-12-31 Microsoft Corp Modality fusion for object tracking with training system and method
US6772346B1 (en) 1999-07-16 2004-08-03 International Business Machines Corporation System and method for managing files in a distributed system using filtering
US20020073046A1 (en) 1999-07-30 2002-06-13 David Sancho Enrique System and method for secure network purchasing
US6442606B1 (en) 1999-08-12 2002-08-27 Inktomi Corporation Method and apparatus for identifying spoof documents
US6456991B1 (en) 1999-09-01 2002-09-24 Hrl Laboratories, Llc Classification method and apparatus based on boosting and pruning of multiple classifiers
US6424960B1 (en) 1999-10-14 2002-07-23 The Salk Institute For Biological Studies Unsupervised adaptation and classification of multiple classes and sources in blind signal separation
US6397215B1 (en) 1999-10-29 2002-05-28 International Business Machines Corporation Method and system for automatic comparison of text classifications
US20020199186A1 (en) 1999-12-21 2002-12-26 Kamal Ali Intelligent system and methods of recommending media content items based on user preferences
US20020199194A1 (en) 1999-12-21 2002-12-26 Kamal Ali Intelligent system and methods of recommending media content items based on user preferences
US20020087649A1 (en) 2000-03-16 2002-07-04 Horvitz Eric J. Bounded-deferral policies for reducing the disruptiveness of notifications
US6842861B1 (en) 2000-03-24 2005-01-11 Networks Associates Technology, Inc. Method and system for detecting viruses on handheld computers
US6973578B1 (en) 2000-05-31 2005-12-06 Networks Associates Technology, Inc. System, method and computer program product for process-based selection of virus detection actions
US6721721B1 (en) 2000-06-15 2004-04-13 International Business Machines Corporation Virus checking and reporting for computer database search results
US20020046207A1 (en) 2000-06-30 2002-04-18 Seiko Epson Corporation Information distribution system, information distribution method, and computer program for implementing the method
US20020138525A1 (en) 2000-07-31 2002-09-26 Eliyon Technologies Corporation Computer method and apparatus for determining content types of web pages
US6886099B1 (en) 2000-09-12 2005-04-26 Networks Associates Technology, Inc. Computer virus detection
WO2002033525A2 (en) 2000-10-17 2002-04-25 Chuang Shyne Song A method and system for detecting rogue software
US20040039921A1 (en) 2000-10-17 2004-02-26 Shyne-Song Chuang Method and system for detecting rogue software
US20020178375A1 (en) 2001-01-31 2002-11-28 Harris Corporation Method and system for protecting against malicious mobile code
US20020147694A1 (en) 2001-01-31 2002-10-10 Dempsey Derek M. Retraining trainable data classifiers
US20020147782A1 (en) 2001-03-30 2002-10-10 Koninklijke Philips Electronics N.V. System for parental control in video programs based on multimedia content information
US7188367B1 (en) * 2001-03-30 2007-03-06 McAfee, Inc. Virus scanning prioritization using pre-processor checking
US7024403B2 (en) 2001-04-27 2006-04-04 Veritas Operating Corporation Filter driver for identifying disk files by analysis of content
US20050086499A1 (en) * 2001-05-22 2005-04-21 Hoefelmeyer Ralph S. System and method for malicious code detection
US20020194489A1 (en) 2001-06-18 2002-12-19 Gal Almogy System and method of virus containment in computer networks
US20020194488A1 (en) 2001-06-19 2002-12-19 Cormack Christopher J. Method and apparatus for authenticating registry information
US20030023875A1 (en) 2001-07-26 2003-01-30 Hursey Neil John Detecting e-mail propagated malware
US20030065926A1 (en) 2001-07-30 2003-04-03 Schultz Matthew G. System and methods for detection of new malicious executables
US20030167402A1 (en) 2001-08-16 2003-09-04 Stolfo Salvatore J. System and methods for detecting malicious email transmission
US20030033587A1 (en) 2001-09-05 2003-02-13 Bruce Ferguson System and method for on-line training of a non-linear model for use in electronic commerce
US20030061287A1 (en) 2001-09-26 2003-03-27 Chee Yu Method and system for delivering files in digital file marketplace
US20030110395A1 (en) 2001-12-10 2003-06-12 Presotto David Leo Controlled network partitioning using firedoors
US20030110280A1 (en) 2001-12-10 2003-06-12 Hinchliffe Alexander James Updating data from a source computer to groups of destination computers
US20030110393A1 (en) 2001-12-12 2003-06-12 International Business Machines Corporation Intrusion detection method and signature table
US20030115479A1 (en) 2001-12-14 2003-06-19 Jonathan Edwards Method and system for detecting computer malwares by scan of process memory after process initialization
US20030115458A1 (en) 2001-12-19 2003-06-19 Dongho Song Invisable file technology for recovering or protecting a computer file system
US20030154394A1 (en) 2002-02-13 2003-08-14 Levin Lawrence R. Computer virus control
US20030233352A1 (en) 2002-03-21 2003-12-18 Baker Andrey George Method and apparatus for screening media
US20040015554A1 (en) 2002-07-16 2004-01-22 Brian Wilson Active e-mail filter with challenge-response
US7331062B2 (en) * 2002-08-30 2008-02-12 Symantec Corporation Method, computer software, and system for providing end to end security protection of an online transaction
US6952779B1 (en) 2002-10-01 2005-10-04 Gideon Cohen System and method for risk detection and analysis in a computer network
US20040068663A1 (en) * 2002-10-07 2004-04-08 Sobel William E. Performance of malicious computer code detection
EP1408393A2 (en) 2002-10-07 2004-04-14 Symantec Corporation Selective detection of malicious computer code
US20040103310A1 (en) 2002-11-27 2004-05-27 Sobel William E. Enforcement of compliance with network security policies
US20040117401A1 (en) 2002-12-17 2004-06-17 Hitachi, Ltd. Information processing system
US20040117641A1 (en) 2002-12-17 2004-06-17 Mark Kennedy Blocking replication of e-mail worms
US20040220975A1 (en) 2003-02-21 2004-11-04 Hypertrust Nv Additional hash functions in content-based addressing
US7640586B1 (en) * 2003-07-07 2009-12-29 Mcafee, Inc. Reducing HTTP malware scanner latency using HTTP range queries for random access
US20050114708A1 (en) * 2003-11-26 2005-05-26 Destefano Jason Michael System and method for storing raw log data
US20050144202A1 (en) * 2003-12-19 2005-06-30 Chen Raymond C. System and method for supporting asynchronous data replication with very short update intervals
US7130981B1 (en) * 2004-04-06 2006-10-31 Symantec Corporation Signature driven cache extension for stream based scanning
US7484094B1 (en) * 2004-05-14 2009-01-27 Symantec Corporation Opening computer files quickly and safely over a network

Non-Patent Citations (10)

* Cited by examiner, † Cited by third party
Title
"Enterprise Protection Strategy" [online] Trend Micro Inc. [retrieved Dec. 3, 2002] Retrieved from the Internet: <URL: http://www.trendmicro.com/en/products/eps/features.htm>. Cupertino, California.
"How to Test Outbreak Commander", Trend Micro Inc., Aug. 2002, pp. 1-13, Cupertino, CA.
Bolosky, W., Corbin, S., Goebel, D., and Douceur, J., "Single Instance Storage in Windows 2000", Microsoft Research, Balder Technology Group, Inc., [online] [retrieved Oct. 11, 2002] Retrieved from the Internet <URL: http://research.microsoft.com/sn/farsite/wss2000.pdf>. U.S.A.
Bontchev, Vesselin, "Possible Macro Virus Attacks and How to Prevent Them", Computers & Security, vol. 15, No. 7, pp. 595-626, 1996, Reykjavik, Iceland.
Burchell, Jonathan, "NetShield 1.5", Virus Bulletin, Oxfordshire, England, Aug. 1994, pp. 21-23, XP 000617453.
Morar, J. E. and Chess, D. M., "Can Cryptography Prevent Computer Viruses?", Virus Bulletin Conference 2000, Oxfordshire, England, Sep. 2000, pp. 127-138, Virus Bulletin Ltd.
Wikipedia.org web pages [online], Wikipedia, [retrieved Mar. 17, 2003] Retrieved from the Internet: <URL: http://www.wikipedia.org/w/wiki.phintl?title=machine learning and printable=yes>. U.S.A.

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070079377A1 (en) * 2005-09-30 2007-04-05 International Business Machines Corporation Virus scanning in a computer system
US9235703B2 (en) * 2005-09-30 2016-01-12 Lenovo Enterprise Solutions (Singapore) Pte. Ltd. Virus scanning in a computer system
US20100251363A1 (en) * 2009-03-24 2010-09-30 Rade Todorovic Modified file tracking on virtual machines
US9177145B2 (en) * 2009-03-24 2015-11-03 Sophos Limited Modified file tracking on virtual machines
US20130179971A1 (en) * 2010-09-30 2013-07-11 Hewlett-Packard Development Company, L.P. Virtual Machines
EP2492833A1 (en) * 2011-02-28 2012-08-29 British Telecommunications Public Limited Company Method and apparatus for detecting malicious software
CN105590053A (en) * 2015-12-18 2016-05-18 北京奇虎科技有限公司 Method and device for detecting unknown risks of starting items
CN105590053B (en) * 2015-12-18 2018-11-09 北京奇虎科技有限公司 The detection method and device of startup item control unknown risks
US10360022B2 (en) 2016-01-13 2019-07-23 International Business Machines Corporation Software discovery scan optimization based on product priorities
US20180018458A1 (en) * 2016-07-14 2018-01-18 Mcafee, Inc. Mitigation of ransomware
US10831893B2 (en) * 2016-07-14 2020-11-10 Mcafee, Llc Mitigation of ransomware
US11941119B2 (en) 2016-07-14 2024-03-26 Mcafee, Llc Mitigation of ransomware
US10623438B2 (en) * 2016-12-28 2020-04-14 Mcafee, Llc Detecting execution of modified executable code
US11363058B2 (en) * 2016-12-28 2022-06-14 Mcafee, Llc Detecting execution of modified executable code

Similar Documents

Publication Publication Date Title
US8646080B2 (en) Method and apparatus for removing harmful software
US7895654B1 (en) Efficient file scanning using secure listing of file modification times
US8397297B2 (en) Method and apparatus for removing harmful software
US8719935B2 (en) Mitigating false positives in malware detection
US7818802B2 (en) Refining behavioral detections for early blocking of malicious code
US9754102B2 (en) Malware management through kernel detection during a boot sequence
US7841006B2 (en) Discovery of kernel rootkits by detecting hidden information
US9679136B2 (en) Method and system for discrete stateful behavioral analysis
US8572371B2 (en) Discovery of kernel rootkits with memory scan
EP2452287B1 (en) Anti-virus scanning
US8087084B1 (en) Security for scanning objects
US8353033B1 (en) Collecting malware samples via unauthorized download protection
US8225405B1 (en) Heuristic detection malicious code blacklist updating and protection system and method
US8719924B1 (en) Method and apparatus for detecting harmful software
RU2487405C1 (en) System and method for correcting antivirus records
US8122507B1 (en) Efficient scanning of objects
US8307434B2 (en) Method and system for discrete stateful behavioral analysis
EP2570955A1 (en) Restoration of file damage caused by malware
US8443445B1 (en) Risk-aware scanning of objects
US20110197277A1 (en) System and method for prioritizing computers based on anti-malware events
US8205261B1 (en) Incremental virus scan
US9740865B2 (en) System and method for configuring antivirus scans
US7346611B2 (en) System and method for accessing data from a data storage medium
US20150199516A1 (en) Execution profile assembly using branch records
US8353038B1 (en) Monitoring and managing changes to non-structured storage of system configuration information

Legal Events

Date Code Title Description
STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552)

Year of fee payment: 8

AS Assignment

Owner name: JPMORGAN, N.A., NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNORS:SYMANTEC CORPORATION;BLUE COAT LLC;LIFELOCK, INC,;AND OTHERS;REEL/FRAME:050926/0560

Effective date: 20191104

AS Assignment

Owner name: NORTONLIFELOCK INC., CALIFORNIA

Free format text: CHANGE OF NAME;ASSIGNOR:SYMANTEC CORPORATION;REEL/FRAME:053306/0878

Effective date: 20191104

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12

AS Assignment

Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, NORTH CAROLINA

Free format text: SECURITY AGREEMENT;ASSIGNOR:NORTONLIFELOCK INC.;REEL/FRAME:062220/0001

Effective date: 20220912

Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, NORTH CAROLINA

Free format text: NOTICE OF SUCCESSION OF AGENCY (REEL 050926 / FRAME 0560);ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:061422/0371

Effective date: 20220912